Increasing ACM destruction timeout

[jareware]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7
+ provider.aws v1.18.0
+ provider.grafana v1.0.2
+ provider.influxdb v1.0.1
+ provider.null v1.0.0

Affected Resource(s)

• aws_cloudfront_distribution
• aws_acm_certificate

Expected Behavior

Destroying an aws_cloudfront_distribution and a aws_acm_certificate that's being used with that distribution results in the destruction of both.

Actual Behavior

Destroying aws_cloudfront_distribution takes longer than the timeout of the destruction of aws_acm_certificate. Thus, the apply fails, with only the aws_cloudfront_distribution destroyed. Running it again will immediately succeed in destroying the aws_acm_certificate, since it's no longer used.

References

• Deleting ACM certificate fails with ResourceInUseException by a deleted ELB. #3866

[tomelliff]

How are you referring to the ACM certificate in your Cloudfront distribution?

If you had something like:

resource "aws_acm_certificate" "ssl_certificate" {
  ...
}

# ACM validation stuff here...

resource "aws_cloudfront_distribution" "distribution" {
  ...
  viewer_certificate {
    acm_certificate_arn      = "${aws_acm_certificate.ssl_certificate.arn}"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2018"
  }
}

Then I'd expect Terraform to realise it needs to complete the destruction of the Cloudfront distribution before starting the destruction of the ACM certificate.

[jareware]

I'm doing exactly that AFAICT:

resource "aws_cloudfront_distribution" "this" {
  aliases = ["${var.cloudfront_dns_domain}"]

  // (other cloudfront config goes here)

  viewer_certificate {
    acm_certificate_arn      = "${aws_acm_certificate_validation.this.certificate_arn}"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.1_2016"
  }
}

resource "aws_acm_certificate" "this" {
  provider          = "aws.acm_provider"             # because ACM needs to be used in the "us-east-1" region
  domain_name       = "${var.cloudfront_dns_domain}"
  validation_method = "DNS"
}

// (cert validation goes here)

resource "aws_acm_certificate_validation" "this" {
  provider                = "aws.acm_provider"                             # because ACM needs to be used in the "us-east-1" region
  certificate_arn         = "${aws_acm_certificate.this.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

Unless I'm overlooking something..?

[bflad]

Can you please provide the terraform apply output? It looks like you're correctly referencing resources above so ordering should be performed correctly (e.g. delete CloudFront Distribution then delete ACM Certificate).

[jareware]

Finally had time to try this again, but couldn't actually reproduce it this time:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  - module.play.module.play_cloudfront_temp.aws_acm_certificate.this

  - module.play.module.play_cloudfront_temp.aws_acm_certificate_validation.this

  - module.play.module.play_cloudfront_temp.aws_cloudfront_distribution.this

  - module.play.module.play_cloudfront_temp.aws_route53_record.cert_validation

  - module.play.module.play_cloudfront_temp.aws_route53_record.ipv4

  - module.play.module.play_cloudfront_temp.aws_route53_record.ipv6


Plan: 0 to add, 0 to change, 6 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.play.module.play_cloudfront_temp.aws_route53_record.ipv6: Destroying... (ID: Z2QE1234567890_play-temp.example.com_AAAA_example-play)
module.play.module.play_cloudfront_temp.aws_route53_record.ipv4: Destroying... (ID: Z2QE1234567890_play-temp.example.com_A_example-play)
module.play.play_cloudfront_temp.aws_route53_record.ipv4: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_A_example-play, 10s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv6: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_AAAA_example-play, 10s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv6: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_AAAA_example-play, 20s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv4: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_A_example-play, 20s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv6: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_AAAA_example-play, 30s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv4: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_A_example-play, 30s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv6: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_AAAA_example-play, 40s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv4: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_A_example-play, 40s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv6: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_AAAA_example-play, 50s elapsed)
module.play.play_cloudfront_temp.aws_route53_record.ipv4: Still destroying... (ID: Z2QE1234567890_play-temp.example.com_A_example-play, 50s elapsed)
module.play.module.play_cloudfront_temp.aws_route53_record.ipv6: Destruction complete after 59s
module.play.module.play_cloudfront_temp.aws_route53_record.ipv4: Destruction complete after 59s
module.play.module.play_cloudfront_temp.aws_cloudfront_distribution.this: Destroying... (ID: E2U91234567890)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 10s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 20s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 30s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 40s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 50s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 1m0s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 1m10s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 1m20s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 1m30s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 1m40s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 1m50s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 2m0s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 2m10s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 2m20s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 2m30s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 2m40s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 2m50s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 3m0s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 3m10s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 3m20s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 3m30s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 3m40s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 3m50s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 4m0s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 4m10s elapsed)
module.play.play_cloudfront_temp.aws_cloudfront_distribution.this: Still destroying... (ID: E2U91234567890, 4m20s elapsed)
// ...

I'll just chalk this up as me doing something silly the first time around, and close the issue.

Sorry for wasting your time!

Tangentially, the CF destroy actually failed in the end with the same error as in #1074, but 99,9% sure it has nothing to do with this specific issue.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!